Posted
by
michaelon Sunday November 28, 1999 @07:04PM
from the don't-they-learn dept.

quakeaddict writes "LinuxQuake is now reporting that ID Software has indeed embedded some code to send, among other things, information about our PC's to ID Software. They should ASK before they start gleening information from my system." John Carmack's explanation on the page is unconvincing - video card data is sent independent of support requests and would be impossible to link to some user's email address, so it's useless for support purposes. (more) (update:This isn't as big of a deal as it sounds. read the update)

No, the second writer on LinuxQuake has it right when he says "It's market research." id doesn't care about current support, they want to know what cards to support in their next software release.

But the reason doesn't matter. The important part is that the software is doing something that it doesn't advertise and that isn't necessary for the operation of the software - sending information about your computer back to id software, which is mentioned nowhere in documentation, readme, EULA, website or installation. id calls it research - I call it a trojan horse program, and if I went into id's offices and installed a similar program that reported back to me on their machines, I would go to jail for it. If I convinced id to download and run it, by disguising it as, say, a video game, I'd go to jail for plain old fraud as well as the computer crime. That's 18 USC 47 section 1030, for the curious. It's been used against a number of 1337 d00dz who weren't quite 1337 enough.

So why does id think this is fine and dandy for them to do?

I like id's games, but this is not a joking matter. Software which performs functions beyond its stated activities is uncool (read: illegal), especially when those functions are spying on their users. Any sort of collection of data from user's machines, even relatively mundane data like the type of their video card, should be announced by the software and in the docs, and users should be able to opt out of it. How much bad press is it going to take before softwre companies get a clue? Or will the first hint they get be when an ambitious prosecutor serves a search warrant on them one day?

Update: 11/28 10:41 by michael: From various posts below and email received by yours truly, it looks as though id did have notification of the data-collecting activity in previous releases of the demo test; but not in the most recent one, for whatever reason. Perhaps the story should be about quality control on readme files. The basic point - companies need to be very open and upfront about things like this, even for benign purposes, and give people the option to opt-out - still stands, but it seems that id just made an error rather than tried to hide anything.

Well if such data collection is illegal why not sue 'em? Tell the judge that the program is a trojen horse just like any other and see what happens. With some lobbying you could probably win if the privacy violation was great, say in the case of lots of personal data getting tracked. Id would probably win in this case but not other companies...

He's proven he's got the integrity as a person. This is merely a snafu, or just something he simply deemed wasn't a breach of privacy. Shall we put "Warning, this product sends UDP packets out to the net" labels on everything now?

Come on, it's nothing more than video card information and Quake version. This is hardly a violation of privacy... I read the argument that "that's not the point", and that the software shouldn't do something it doesn't advertise, but I think this is going overboard. Let's not get ridiculous people.

This is harmless. So please, be sensible, don't make it out to be something more than it is.

I would never expected ID software to do such a think. What where they thinking? They could have been so stupid that they didn't consider the bad publisity this will generate. Without doubt this will be do more damage than good for them. Even if they get all the information they wanted. Bet it won't take long before they remove the trojan horse from the software.

ID doesn't have to lose, just the bad PR is enough to do them major $ harm... think about it, first FPS games are (wrongly, imho) connected to things like school shootings, so bad PR like a privacy lawsuit might be one foot in the grave for even big companies like id, thanks to PC and privacy-crazy folks. Not that being privacy crazy is bad, mind you. If parents don't let kids buy Quake VIII, or don't buy it themselves, then I doubt if the./ type buyer is enough to keep id alive..

Personally, I believe that things like this should be allowed, as long as they are mentioned somewhere (product packaging, EULA, etc.). Sometimes data collection is over criticized, such as the original implementation of cookies in Netscape. The bad press that cookies have recieved has rendered a good thing useless; people now reject cookies because they don't understand them. Data collection is overall better for the consumer. If you don't like this policy, all one needs to do is not buy the product. Since you've paid for a product, you have to accept what's included in it (unless it's open source). There shouldn't be any reason that this type of feature should be prevented -- it benefits the consumer. As long as they are not collecting information beyond what they should (credit card numbers, etc.), it provides a way for companies to better adapt their software towards consumers needs.

I think some kind of binding code of practice needs to be swiftly adopted. Specifically, users must be warned in advance if *any* information is going to be collected, generated or transmitted from their machine.

I know that there may be legitimate reasons for a company to want to send information back to their server. But if it is going to happen, then the user absolutely must be informed about it.

It's also yet another good reason to use open source software - that kind of abuse simply can't get past a well informed community based on peere review.

Those companies collecting data for "research" purposes are really getting on my nerves. When it was from Microsoft, I was not surprised at all. From RealNetworks, it was a but more surprising, but not that much. But id Software doing it is really to much, a company which I trusted and I've always been a fan of their games, but that may really make me consider banning all of their games if they do not make the appropriate apologies and publish a fix asap. This is really a case that could be use to see if we could win large damages that would make other companies think a bit more before doing that kind of stuff. Suing RealNetworks or Microsoft may be more appropriate. And I dont buy the argument that it is purely to do market research, because their are many easier ways to find out what the people are using, like having a registration system where I would have the choice (and I would have no problem giving them that information).

This kind of behavior has to stop, it is not admissible and we, as a community aware of the problem should have an active role in the reprobation (boycott) of those companies...

I think it might be too late to do anything about this, really for one major reason.

Most people don't care.

The majority of consumers purchasing software don't really care (or don't know enough to care) about maintaining the privacy of their computer components. A lot of people would gladly trade in a little bit of privacy in order to gain the percieved notion of more robust software.

Most people would not only accept, but also welcome the idea of their software reporting information back about their systems if they were given the explanation that it would make future software run better on their computer.

If people cared about their digital privacy, wouldn't there be a much bigger stink about cookies?

The idea of a game that sends back video card information, for the goal of making future releases work better; isn't that far away from the idea of a site keeping track of your web surfing, for the goal of making your future visits more pleasurable.

I would appreciate it if they would write an explanation of EXACTLY what information they stored. I don't care about my hardware specs. I do care if they grab my email, ip, hostname, username or personal gameplay info. (No... you cannot use my skills as a model for Quake AI)

There is no difference between this, and the User-Agent HTTP header that is sent. Oh, the User-Agent doesn't expose video card, BFD. (but you can sometimes get at screen depth/size depending on browser scripts/java) Most naive users are unaware that info is sent, and browsers don't prompt users either.

The level of paranoia on Slashdot has reached all time high. Next thing you know, ID will be charged with the high crime of recording their player's IP addresses on their central server.

Er, going by the fact that Intel may be blocked from selling the PIII in the EU due to the serial number in each one (see http://www.theregister.co.uk/991128-000002.html) couldn't that affect the release of Q3 in Europe? Though it's not a serial number that they're using, it's the fact that it could in effect be used to track what hardware people are using. If id don't put in a way of disabling this, or at least doing the same as Netscape have done with their feedback software (I forget the name), then it's feasible they could get into trouble for this. I can't see how it can be used purely for support purposes if it's sent irrespective of a problem, and there's no way of linking the information with a helpline caller. Just a few ramblings by someone who can't see how the saving of data could be linked to support...

But you don't "accidentally" program code to check data about a computer and then send it to you. This is not a bug, it's an undocumented feature. A feature I'd prefer didn't exist, and I'm offended that it does. Fortunately I'm willing to let ID off of this, considering that I'd gladly have given them this data had they asked. I would've even attached a name to it. I'm not excusing ID, just saying I'm not going to boycott them.

True, but will that help their image when people tend to go crazy over any type of invasion of privacy, even something this minor? Bad PR builds up and is never good for a company, remember.. Should be a box during install to say "Allow my vid card info to be sent to ID for develoment reasons", imho. and probably unclecked by default..

I agree with the posters who say that video card info isn't really all that big of a deal, BUT (and it's a big one) Since it's not a big deal, couldn't it just pop up a window (first time only) saying I'd like to tell ID that you are using a wiz-bang 5.32 Video card, is that OK?. I'd click yes to that one personally.

Sending without asking is at least rude, and sets a bad precedent. What info will it be next time?

I have to wonder, is that video card data really worth the stink this will cause?

Hmmmm. I wonder how many of the people who bellyache about Quake are also people who use a credit card. Especially one with AirMiles. Or who participate in a grocery store discount card program. Or department store discount card program.

All these things track your purchases, providing the store with valuable information about the spending habits of your demographic.

Hopefully, most of you were clued in about what's *really* being done when you use these cards, and made a knowledgeable, active choice when signing up.

[which is, I guess, my point: iD could easily have done some sort of payback-for-information thing. Perhaps those people who said "yes" to releasing the info/letting iD track them would get a bonus level. Just like Safeway gives you a discount when you give them info about your personal spendng habits.]

I wouldn't call it common knowledge, but I've known the q3tests did this for months. They've never hidden anything, and Carmack has seemed quite clear in other situations in explaining the purpose of the packets sent back to id. They're for identifying the cards so id knows how many users are using specific OpenGL library sets. If you don't want them to know, recompile Mesa to send them another string, or just don't play the game. It's not some dubious conspiracy to steal your secrets. I like it when the author of software cares enough about the product to make sure it will actually run for its users.

I'm not a big gamer, but the q3tests (and the recent demo tests) are very impressive. I'm also a fan of good software, and you can't write software if you don't care what your users want. If you write software that, for example, requires $15,000 worth of graphics hardware to operate, or comes without source code, or only runs on embedded ARM systems, your software is of little use people. If you ignore what your users need, they'll find someone else's software to use. If you're a proprietary software company, you might get all worked up about this, but if you just want better software as a computer user, you end up getting just as little.

Blizzard got sued, but so many people protested the suit, it got dropped. I guess the moral is: if you make really really good games, you can do whatever you want to people's computers and get away with it.

Not to sound like a privacy fanatic... regardless of the intentions, if someone is collecting data about my machine without my consent.. it should not be tolerated. Remember all the well known Quake mod conversions that were shutdown by id.. basically on the grounds that if they don't stop them now, no matter how small a project, regardless if it has no intention to go retail... they could lose their footing in court later on if someone does severely abuse it. This is the same matter.. if something isn't done now, what's to stop them from collecting "a little more information" down the road. cheers

I understand that your video card brand and model number aren't as immediately important to your long range security/privacy as serial numbers and network addresses. But I think that, regardless of the number, it's the principle that's the same. Once people start grabbing some numbers off of your computer while you are unawares, they can start justifying getting more and more information.

The argument that they use to justify getting more and more info is a "slippery slope" argument; if getting some information isn't illegal, then it shouldn't be illegal to get a little more. And finally, they have access to *all* the data that they can grab from you.

Think it won't happen? Think again: information about consumers is about the hottest thing you can have in the industry today. Businesses that lose money are still popular with investors, because they have the *potential* to be in a position to gather this info. (And it's not just today too; I watched Glengarry Glenross again last night; rent it, and watch Pacino, Spacey and others fight over "leads"). The way to stop this kind of abuse is to stop it at its root. Dont' let *any* info get collected without your permission and legal safeguards. That way, you never have to worry about any slippery slope fallacies.

So what IS a violation of privacy then? What type of processor you have? How much diskspace you have left? How about all of those "innocent" things together?We have here a group of people who say, "yeah, well, it's not such a big problem." What they are doing is giving up a small part of their privacy. Instead of protesting against this, the have the idea that it's okay to lose a little of your privacy because you get to play a nice game instead. Remember that whenever you lose some of your freedom or your privacy, you always get something in return, some small thing which you get to have, or get to know. What we must do is resist the urge to say "well, it's not so bad after all," and really stand up to tell them that this is unacceptable behaviour and that we would rather not play their games than lose parts of our privacy.

Yes but these "undocumented features" can truly be called bugs. I'm not talking about stuff like the NSAKey, I agree that MS should be sued over that one, but i'm talking about the constant freezing, the BSOD, etc... all that stuff we don't like.

Anyway, my point is that you don't "accidentally" code a section that gathers data and sends it somewhere. This should not be tolerated, no matter what. Don't boycott ID, I love them, but do send a strong (non-swearing etc) letter to ID protesting it.

What bothers me is that the more companies do this kind of thing, the more and more it will become acceptable. Most people will eventually throw up their hands and stop bitching.

Personally, I hate it. It's a slippery slope. Once we stop bitching about just sending video card info, then next it will be more personal info.

I can see the need for market research. Pine (the e-mail program) collects information over the net, but it ASKS YOU FOR PERMISSION FIRST. I have no problem with this kind of action. It's stuff going on behind my back without my knowledge that spooks me. I should be able to choose to be counted.

I'm sure if, for example, Id wanted to know how many quakers were using each OS, most of us would be damn eager to be counted. Just ask first. Is that so difficult?

Look: They want this information to the point where they're willing to run the risk of pissing people off by taking it without asking. Doesn't that suggest that maybe the information has some intrinsic value?

Doesn't that, in turn, suggest that it's theft?

Your "not a big deal" argument falls flat. If someone breaks into my house and doesn't steal anything except some silverware that I don't want anyhow, does that make it OK? This sounds like 100,000 counts of petty theft to me.

There is more and more software (esp. in the Windows world) which sends 'background information' of whatever type to I-don't-know-whom. What scares me a bit is how automated this has gotten - MS media player 'phoning home' to get new codecs etc. I think that most of the time the user _does_ benefit at least in a way, but I (as an advanced user -- read: I can look at the Options menu and understand what the checkboxes and radio buttons mean) want a switch that says [ ] Don't send user-related information. Better, make it the default that no user-related information is sent (then again, you as a software creator probably won't get much back). The only alternative is to use open-source software only, but you won't have much fun with gaming in that case... I think it's sad that esp. id which has gained so much confidence from the open/free source community in the past does this. A simple note in the README would have been enough. On the other hand, they know how many people look closely at their game (to create third-party tools, maybe even to manipulate gameplay) so that they should have known that somebody would find out sooner or later.

I saw something just like this the other day! I went to this website, and my browser told the server what Web browser, version, and operating system I was using! Then I sent an e-mail and it said what mail program and my domain name!!! And sometimes, when I connect to a Quake server somewhere, it tells the server the exact IP address that I'm playing from!

Programs that just bandy about my personal information like this have to be stopped. Let's all sue iD, Netscape, Microsoft, Real Networks, and any other company that writes programs that send any non-arbitrary information of any kind over the InterNet.

Carmack is saying that the data is used to model the user community, then by correlating that data with the support requests you can tell which platforms are unusually buggy (or stable). The Slashdot summary is being unfair when it characterizes the data as "...useless for support purposes."

Carmack quote from the LinuxQuake page: "It has mostly been for tracking the amount of support we give by video card vendor. For instance, 3dfx and nvidia are about equal in players, but we get 10x the support email for 3dfx users. [...]"

However, this is addressing the question of usage (and even then only with the "mostly" qualifier), not the question of intent. Based on the datagram, the intent is to be able to model the user community, and it is very similar to the data any website could collect about their user population from http headers.

"Another Software Spy" Really should be "Another iD software spy" because they had jepordized security and privacy before.

IIRC, certain versions of Quake 2 for Linux would let anyone from the 192.246.0.0 IP block have remote shell capabilities. If you ran the server as root, you gave someone at iD software your computer on a platter. I read this on a page that listed possible remote exploits and security concerns for Linux a while back, and can't find the link at the moment (it was back in April that I read it).

If true, then iD, while good gaming wise, is certainly not to be trusted. Time to recheck the firewall rules, as having a CM makes it far too easy to let lots of data through.---

The majority of people didn't care that they were paying too much for telephone service in the United States, but something was done about AT&T. Just because the majority of people don't care doesn't mean action can't be taken. The American Revolution was won by a committed minority. In many ways, in a democratic nation, a committed minority is more powerful than an apathetic majority who don't care one way or another.

I can't see it making THAT much difference what is sent - it is the fact they are getting a packet from you whenever you play the game, saying "person at IP address xx.xx.xx.xx is playing Quake". Microsoft would *kill* for the right to do that for their packages....--

I'm sure they didn't have any idea people would freak out. And knowing ID, they follow the community so closely (becasue they are part of it... i mean you can e-mail Carmack if you are really that pissed and he will probably reply), that it will probably be addressed shortly. What is this talk about sueing them? common.. it's ID! I think at this point we should let them know that we are feeling violated, and that they should ask/tell us next time. Knee jerk reactions are anti-productive. It is better to let them know that we don't like it and they they should go no further than to overreact and threaten them.

This, more than anything, shows me that John C. cares about the product that he releases. He's statistically comparing the number of 3dfx support emails per capita to the number of nVidia emails. This absolutely doesn't upset me. I'm not keeping what video card I have or what operating system I'm running a state secret. I'm guessing he didn't give the option of saying no every time it wants to send that information because of at least two reasons: A: It's be fscking annoying. B: All the paranoid people of the world would say no and their support emails in would affect the numbers.

BOOM! Those packets no longer go to id! They are stopped dead in their tracks. Problem solved, end of discussion, battle over, your privacy is (in this case) secure.

Second. Isn't the US Code a criminal law issue? Why take this to civil court? File criminal charges against them. The complacent sheep can argue and flame all day, but they can't stop the law. The law has more money than id. id will back down if they are prosecuted criminally for this behavior, in fact if they even receive an official warning they'll back down and send out a patch to either warn the customer or take out that 'reporting' feature. Then, after the conviction or the backpedal, you sue in civil court with the criminal proceedings to back up your case.

If you are looking to take legal action and you sue id first, they can drown you with legal defense money. Never try and sue a company in civil court first, if you can press criminal charges.

And in case you wondered, I am a long time id software fan. However I am also extremely impartial. It's nothing personal; they not only violated people's privacy, but they also did not inform anyone they were doing it. I am holding off on buying Quake 3 until I know they've patched this and apologized about it.

There is no difference between this, and the User-Agent HTTP header that is sent.

FALSE. An http User-Agent is sent because I told my machine to contact that server. When I launch a game, I am not, in my mind, commanding my system to contact a server unless and until I tell my system to join a network game.

Now, if this packet were sent when you connected to a server, and if id offered servers to play on, and if id then collected the data...

IT WOULD STILL BE WRONG!

The User-Agent header allows the server to better taylor content for my machine. Why would a server care what video card I had?

This is nothing more than another example of the continuing information grab being done on the Internet by unscrupulous individuals.

If Carmak knew about this and didn't fight it, he is a fool. If he didn't know about it until it was out there, he should have come clean, said "mea culpa and we'll remove it in future", and made a model of the marketroid who put this in so we could frag them in effegy.

I am greatly disturbed when companies attempt to record identifying information about me, including IP addresses (which can, with assistance from bullied ISPs, be traced back to the user). I make every effort in all my net-related activities to secure my privacy by dealing only with parties I trust and assuring that those won't improperly reveal who I am to parties whom I don't explicitly give that trust.

While most people aren't so concerned or careful about who knows who they are, the larger issue is that due to these concerns, many companies have begun collecting identifiable information without consent. Misrepresentation of a product's function is wrong and best and criminal at worst.

The information that Q3A transmits is, obviously, harmless. But how hard would it have been for Carmack to come clean with this fact in the beginning? The secrecy is what bothers me, not this particular violation of privacy. If I am given fair warning about what a product or service will tell the world about me, I can evaluate whether I want to use that product and choose to use it or not. I am especially bothered that Carmack, who usually seems to have a clue, wouldn't anticipate the discovery of and negative reaction to this "feature". I, along with most people, fully support his desire to make id's products better by researching end users' hardware. But being underhanded about it with simply foolish.

This has been discussed before, and has been going on with the previous tests.

The message of the day server was intended as a half-assed auto update feature that could be cross platform.

We send a normal message most of the time, but if the version is out of date, we can send a message with telling you where to get the update.

I didn't want to deal with binary auto-updates on three platforms, and I worry a bit about security issues with that in any case.

You can disable it by setting "cl_motd 0" when the game starts up if you really don't want to send anything or see our message.

We added the result of glGetString( GL_RENDER ) to get some much needed information about the distribution of video cards and drivers.

We can see how many people aren't following directions and running glsetup. This is a big support issue.

We can see how many people are running minidrivers, which are going to make our lives a mess in the future.

We can see how many mac (steady 5%) and linux (5%at initial release, tailed off to 2%, probably due to dual booting) people are playing.

Getting this information has been usefull. We can compare the numbers of people playing with a given card with the amount of support emails we field, so we know which vendors (3DFX) we need to give more crap about their driver quality.

You've obviously missed my point. I would've been happy to give ID any information about my video card that they wanted... had they asked for it. I would've told them pretty much anything they wanted to know about my system (I don't have anything important on here:-) but the point is they didn't ask for it... they took it without my knowledge. Don't get me wrong, I love ID, and I am a big fan of their products. This is not going to stop me from buying Linux Q3. I'm simply stating that if they wanted my system's specs, they should've asked first.

The problem I have with it is its not mentioned anywhere. It just does it and was found out by 'accdient'. I really could care less if it was documented. Just putting it in with no mention anywhere is sneaky and underhanded.

Walmart has the largest database in the world about consumers and their purchasing habits. So yes, the stores, some of them at least, are collecting info. One way to avoid this is to use cash, I suppose.

And to add to that, I do NOT appreciate being spyed on, that's what you're proposing. If someone is observing my behavior without my knowledge, I will give them a piece of my mind when I find out. I'm not saying I will boycott their employer just to spite them and try to get them fired. However, If someone wants to know about my behavior, they can ask to spy on me. In this situation, I will say no. However, if someone asked me what kind of video card I had, I'dve gladly told them. It's a different thing. I have no problem giving out data about my system... when someone asks me for it. If someone just takes it from me, not even notifying me that they are, I am pissed. That's how it works.

Sure, a line needs to be drawn - but the line should be whether or not the info. can be traced to you, or can harm you in any way.

That's probably the way it should be in a perfect world with nice helpful people all around and everyone holding hands and sitting on the lawn, but in this world, the line has to be drawn where it can be drawn, not where it should be drawn. It is much, much harder (probably nearly impossible with the current legal system) to make a law about what is too much and what is not that would be clear and failsafe. It is much easier to say that no information outside of the game should be transferred on the internet without the user's express consent.

I wonder how much of a competitive advantage this gives ID? REALLY. Think about it. EVERYBODY played Q3Test, almost everyone is playing Q3DemoTest and tons of people will be playing Q3. Doesn't this give them a huge advantage over the Unreal folks when it comes time to do Q4 and they're trying to figure out what hardware to design at?

Really, John. You Foobared. Fix it and move on. If it's connecting to an extra server and it's not in the Docs, it's a Trojan. Don't make me get my ipchains! If it doesn't work if I firewall out that server, well, I guess I won't be playing (or buying) Q3.

Ask me and I'll tell you. Take it from me and I'll fight you tooth and nail.

Do you revel in the glory of raw socket binding and accepting in order to send only the bytestream you decide? Or do you let someone else do that for you, and consequently accept the effects of the other decisions they make?

Would you want to punish a company that's supporting Linux? It seems that you are raising a lesser evil over a greater good- a tiny violation of your privacy, which I can certainly live with, over id's support of Linux gaming, which I view as a tremendous good.

Some people might say that this would actually be a good thing. After all they are only collecting data on video cards (or so we think). The problem I have with this is that companys seem to be doing this more and more often. Getting bolder as time goes on. If we don't stick up for our rights now, we will lose them without even realizing it. I was going to buy Q3. But now I've decided against it. I refuse to support any company that steals information (no matter what it's purpose), especially without telling us.

I'd like to encourage everyone to write the folks at ID Software and tell them how much you dislike them collecting your computers information. But be polite.

When Quake 3 Arena starts a map up, it sends the GL_RENDERER string to the Message Of The Day server at id. This responds back with a message of the day to the client. If you wish to switch this option off, set CL_MOTD to 0 (+set CL_MOTD 0 from the command line).

Getting this information has been usefull. We can compare the numbers of people playing with a given card with the amount of support emails we field, so we know which vendors (3DFX) we need to give more crap about their driver quality.

I think John Carmack doesn't get it. The information sent in this case is fairly harmless, and I can see that it could be beneficial to me, the gamer. If you asked, I'd probably agree to let you have the information.

But for goodness sake, ask first! If you want something from someone (especially someone you don't know), it's basic courtesy to ask first, even if you think he'll let you have it.

It's NOT that COVERT. You see, if IT WAS covert. THEN they would HAVE made the DATA less VISIBLE to people who ARE looking at THE data STREAM. In fact they COULD have USED a PUBLIC/private KEY encryption SYSTEM to make the DATA unreadable VIA network SNIFFERS. THEN you could BITCH about COVERTLY sending DATA to COVERT secret DOUBLE agent OPERATIVES in some SECRET AGENT type DREAMWORLD.

Any of you played Starseige Tribes [starsiegetribes.com]? If you host a game it sends your CPU speed, amount of RAM, IP address(duh), version number, and a few other tidbits to their server, and even POSTS it on their master game list.

Sending this kind of information has many uses. It lets them know how many people are still using some ancient version, so they can decide how long to keep support for it in their servers.

His comment about being able to compare the number of people using one video card to the number of complaints received is a good one. From a support standpoint, if you get lots of calls saying that my FooBar Monster 512 board doesn't work, you have no idea if it's a really popular card or if the driver/board just sucks. Being able to tell the two apart is really important for delegating how much time is spent, and where to point the blame.

I'm also a video game programmer(the arcade kind, not home games) and could see also lots of uses for this in a client-server game model. Being able to tailor the stream of data sent to a user if you can tell they can't handle it all, or being able to say 'Their card will only handle 16 bit textures at the resolution they've chosen, save them the download time by not giving them 32 bit textures' is one really nice feature that could be used in some games.

I really don't buy the 'This is an invasion of privacy' argument. If any of this included your name, e-mail address, postal address or anything, I'd be concerned. Knowing what video card and which version of software you're using(which is probably important to the server anyway) is about as trivial as you can get.

Also, all of you running Windows have probably given nearly the same info to the authors of GLSetup, if you used the web-install option, because they're able to log who downloaded which drivers, with the same justification as above.

Lots of information is being sent every time you do anything. Send me an e-mail and I can probably tell you what E-mail client you're using, what version of it, and probably what OS you're using. Until it becomes *personal* or *unique* information about myself, I don't see the problem.

The problem with that line of thinking is that it leads to real invasions of privacy anyway.

If we roll over time and again to seemingly benign invasions of privacy, they will become commonplace. What will then stop so called "real" invasions of our privacy? If you then try to stand up and challenge them, companies will point to the fact that you didn't complain when all they asked for was your video card and OS. Besides... its "for our own good."

Rights are like copyrights, if you don't try to enforce them, you lose them.

You know... there's paranoid, and then there's this. Yeah, okay, maybe it wasn't the wisest decision. The folks at id could have let us know, or made it an option, or something. I think it's a little rediculous, though, calling Q3 a "trojan horse program."

Of course, the comment about this data being useless for support reasons raises the question: What if these packets were linked to you personally? Would this have made it all better? No. We'd be reading a similar article right here on Slashdot, only with more fire-and-brimstone to it, about the same invasion of privacy. And if id had mentioned it somewhere? I'll bet someone still would have complained about sending personal information to them. If they left it out completely? They don't get the information on what video cards and platforms are being used. It's a lose/lose/lose/lose situation.

I have a feeling someone will moderate me down for this, but I don't think this is something to turn our backs on id Software for. People need to take a step back and look at the big picture. The reasons for sending this information have been explained. Overall, it seems to me like this will make for a better product and easier updates. If you don't like it, well... go buy Unreal.

First off: I think people that play quake would more then understand if ID said: "hey, since no one fills out those lame registration forms, we're going to have the game send us your video card info" I don't think there would be too many quake addicts saying: "I'm not going to play quake if ID knows what my video card is"

Second: With the number of extremely competent programmers, hackers and the etc, out there, why are software companies still trying to slip things like this by their consumers?

Your point about Starseige Tribes is completely irrelevent. When a person hosts a game, a person expects a certain amount of their personal information to be published in order for people to play the game they're hosting. It's part of playing the game. The information that Q3 is collecting has nothing to do with gameplay at all and the user does not expect it to happen, nor are they made aware that it is happening.

Furthermore, your argument that it isn't an invasion of privacy because they're not collecting your name and e-mail address is also invalid. They get your IP address, whether they actually record it or not. In most cases, having a person's IP address is just as personal as having a person's e-mail address or name.

Finally, your point about information included in SMTP headers is also irrelevent. It is commonly known that this information is being sent, and you control who this information is sent to. This information is voluntarily revealed, unlike the information in Q3.

Face it, Toasty, if it was Microsoft Word that was doing this, you'd have a completely different opinion.

ID made a minor infraction against users, and the content of what it sent back it its servers really was pretty minor. It was a good idea, but implemented with a major mistake. What was a really bad idea was not notifying its users properly and completely. This is where they failed.

When it comes to Internet privacy, there will be a constant onslaught in the future to take your privacy away. It does not happen all at once. It happens slow, and easy, and you never notice it going. Then ten years later ir is just gone one day when you wake up, looking across the room to that blinking monior that was watching you all night.

The way to tell these comercial software companies that we want our privacy untouched and completely intact as it was when the Internet was develloped is to be paranoid and completely defensive when any little thing is done against us. Otherwise it WILL go. Your privacy will go. The only freedom that was ever given away came from you.

ID does need to be punished by its users by noisemaking and a lot of bitching, otherwise they will just not hear.

I would say that if it's in a big file called README in the root of the install directory, you're pretty much obligated to read it, yeah. Or at least not complain that you didn't know something that was said in it. Even if you have read others before.

It's pretty clear that it was just mistakenly left out of the demotest documentation. It wasn't concealed, and we all know about it now, so let's just declare "no harm, no foul" and move on.

Err, those documentation notes were in a beta test. Not a finished product. If you don't understand what "set (some variable) to (some value)" means, maybe you shouldn't be messing around with unfinished software.

My God! I used to think the slashdot crowd was a generally intelligent and level-minded group. But this is nuts. Nuts.

The top 3d game maker (arguably, I suppose), general innovater, and primary linux supporter in gaming (besides Loki) adds a little code that is intended to aid in hardware support on one level or another to a free TEST version of their new game. They apparently did not hide this, but neither did they make it obvious (it seems to me an unimportant part of the game anyway).

They are our friends. And we bite them in the ass.

We have very little problem dealing with our enemies. It's our friends that we can't handle.

Now, I'm not sure if Quake is like this, but if my memory serves correctly, svga doom for linux had to be run suid(to be able to access the hardware directly). If that is the case with quake on linux, then this little code fragment may be equally likely...

getShadowPasswd() { // Takes advantage of a games hightened permissions to get some real info from the simp running the game

return/etc/shadow; }

And what, with binaries being easy to patch....Kinda gives you the warm fuzzies, huh?

BOTTOM LINE if info is leaving my box, I want to know about it. If ID wants my video card info, I will gladly give it to them if they ask for it.

The problem with your argument is that it establishes the precedence that the right of a company to collect marketing information supercedes your right to control what information is extracted from your computer without your knowledge or consent.

The worst case scenario, one that I don't expect to be a problem next year or two, but a possible problem in 5+ years, is the extention of the current collection of credit card information from stores to collection of *all* purchase information from applications such as MS Money or Quicken. That's not a very far step from the current collection of credit card purchase information and unsolicited transfer of system information. A mildly offensive act this year, another next year, and one or two more and there you are!

Even if you think that possibility is too extreme to consider, how would you feel about a program that scans your disk for files from the competition? What about a program that quietly scans your disk for images, especially images with the word "sex" or "teen" in the title?

Finally, if you don't find ID's actions objectionable, exactly where do you draw the line? Is it enforceable (from the legal standpoint)? Will it be easy to cross that line as technology changes? (E.g., I'll bet you protect static image files, but forget to restrict access to frame grabbers. Let it's hard to think of a more invasive technology than a camcorder in the bedroom... Rare today, but not in a few years.)

When Quake 3 Arena starts a map up, it sends the GL_RENDERER string to the Message Of The Day server at id. This responds back with a message of the day to the client. If you wish to switch this option off, set CL_MOTD to 0 (+set CL_MOTD 0 from the command line).

Don't be an idiot! Its not that it sends packages, it's what its sending!

yes, its sending The kind of video card you have, wait, its not even doing that, just a kind of video card. I dosn't know who has that video card, just that it exsists... they should DIE, they should GO TO JAIL, OH MY GOD!!!

It is much easier to say that no information outside of the game should be transferred on the internet without the user's express consent.

You don't make based on wether or not there implementaion is easy or not, you base them of wether or not somthing is wrong. what IDs doing is not wrong, period. As I'd said before, they don't know what video card you're running, only that that type of video card ran quake at some point in time. Its not personal data, beacuse its not personalized.

Things like this should be handled on a case by case basis, just like other crimes--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

I don't know... when you click the button that says "Yes, I have fully read and understand the EULA", its safe to assume that you ether agree to it, or dont care?--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

Cookies do not send any info to the server that the server did not put there itself, idiot. Perhaps you should get a clue, before telling others to do so?

Slashdot uses cookies, you know that right?

Cookies allow a server script to store information on the client. Those cookies can only be accessed by the server that placed them there (that's why slashdot's customization doesn't work on www.slashdot.org, I think). It doesn't tell them anything about you, that they didn't already know. But, because of 'privacy conscious' individuals such as your self (Who didn't even bother learning what they were about), the technology was slowed down. --"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

U might have convinced the powers that be at slashdot that this line from the README file exonerates carmack and iD software When Quake 3 Arena starts a map up, it sends the GL_RENDERER string to the Message Of The Day server at id. This responds back with a message of the day to the client. If you wish to switch this option off, set CL_MOTD to 0 (+set CL_MOTD 0 from the command line).

I on the other hand see this as no proof whatsoever. Now I am not a stupid person yet I found it impossible when I originally read it and impossible now to see how the above line from the README file to states that iD is collecting any information about my machine. Unless we are supposed to read the source code and find whatever method initializes GL_RENDERER then knowing that GL_RENDERER was sent to the Message Of The Day Server is as useless to me as knowing the what the sound of an earthworm farting sounds like.

Nowhere in all the.txt files that come with Q3Test does it say where and what exactly is the GL_RENDERER string. Please correct me if I'm wrong (it's 2AM and I've been coding for more hours than I can remember).

I just wonder how the Average & not so Average user who has no access to the source code was supposed to know that the sentence from the README meant that iD was monitoring onbe's mahine?

The whole NSA_Key was nothing at all. all it didn't alow the NSA to do anything that they wouldn't have been able to do with it not being there, other then installing crypto moduals on systems they already had access to. It did not alow them to run arbitrary code on remote machines. --"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

But, if it dosn't matter, it still dosn't matter. no amout of grand moralizing will ever change that.

Some things are wrong, and others just don't matter. And when they don't, you shouldn't get all upset, beacuse people will stop listening to you. The maginitude of the offence does matter--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

don't cookies have a similar function, i.e. they take data from your computer without your knowledge? Wouldn't that also qualify as being illegal? I don't really understand what the difference is.

NO THEY DO NOT

What cookies alow, is the *placement* of data on a computer system, IE, a site, such as slashdot, can store you're user info in a file on your hard drive. When you connect to the site again, that data, and *ONLY* that data can be retrived. In other words, sites can only get information on you that they already knew.

If you're really consourned about cookies, you shouldn't be reading slashdot--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

If it is in the full version then I am not buying it - bad enough it is in the demo. I used to think Carmack was a pretty cool guy. Now I think he sucks. I was going to buy this game. Probably not now.

You can easly disable this by typing a command into the console

Am I the only one pissed that linux users are told to wait till after christmas? Carmack telling us this will be important is BS. If it is so important why treat linux users like second class citizens?

Carmack is releasing all 3 versions at the same time, however, the windows version will move through the system quicker, beacuse there is more demand for the windows version.

aditionaly, you do not have to wait untill after chrismas to play quake on linux, just a few extra days. What will not happen untill christmas is the putting of binarys for diffrent versions (so you can play on a platform you didn't buy) up on there webstite.--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

I'm not sure about it. its posible to send a UDP packet without sending your IP, If you don't need a response.

Looking at the.gif that was linked a while back, it appeared that infact it wasn't sending the IP address along with the rest of the info... but I don't know for sure--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

You say you have a "geek brain", and yet, you seem to think that the top-level post is actualy a post by john carmack, and not a quote from the v 1.08 readme, or his.plan or somthing. Well, that dosn't make sense to my "geek brain".

then you say: Funny, I found John Carmack's post quite arrogant. He thinks we should all bow down to him and take it up the ass, and then decides it's our fault because he documented it (and the documentation which I have seen makes no sense to my non-geek brain. Really, most gamers are not programmers). I've got a message: Fu*k him!

Just what kind of crack are you smoking?--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

About 1+E30 people have made the insipid argument about the GL_RENDERER line of quake3 UDP paket t. The facts are that everyone knows string is being sent, and you can connect without sending it a or even when sending a bogus string. type +set GL_MOTD 0 on the console.--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

You can look at the data the data that they are sending, it has been posted on the web.

It never ceases to amaze me how many people post on things without even taking the *basic* steps to inform themselves about whats really going on--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

If none of this info is that important, why do they hide the fact they are collecting it?

I guess you havn't been reading this thread, they are *not* hiding this info at all. It has been included in all the READMEs up untill this point, when the file was skimmed down qute a bit--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

'id Software uploads video card information so they can use it as leverage onto other companies to get them to help id in the future' _ Oh, it only affects people who get huffy about their hardware setup, it doesn't bother me.

Your wrong, it dosn't effect *anyone* it dosn't get *any* data about the user AT ALL!

and yet, What blizzard did effected pirates, it was wrong. what Real did effected people who listen to illicet MP3s, it was wrong.

What id did (witch, dispite what this 'michal' person says) dosn't effect anyone, therefor it is not wrong--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

wow, its just like the simpsons, you know where some person yells somthing, and then the crowd vehomently aggrees. It happens a lot in the simpsons, and, I've noticed on slashdot.

It amazes me that you havn't even been able to aply any kind of simple constructive critizim, to michals comments, or, even read the thread so far.

It is *not* secret, there is *NO PERSONAL DATA ATACHED*, and it *can* be disabled. All Id knows is that quake3 was launched on a certan video card at a certan time, that's it.

But if you'd rather lick the balls of an over worked lama then purchase another Id game (or, presumibly, be informed about anything) be my guest.--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

When the article first showed up, I thought "It IS documented in the release!". I went and looked, and unfortunately, that documentation from the previous release didn't make it into the latest release. Sigh. Our fuckup.

Apropriate quote: "Never attribute to malice what can be explained by incompetence".

I remain unconvinced that we have done something morally offensive.

Yes, we could have (should have, meant to) included a notice that it was going on in the EULA, but honestly, how many people carefully read and consider every line of all the EULA's they click through? How much of a difference would that have made to people?

I dislike lengthy legal verbiage, but it is reactions exactly like these that cause them to grow. Every time someone says "Sue 'em!" over something, a lawyer proposes another paragraph in a license document.

The most upstanding thing to do would be to have explicit UI that asks on installation if you don't mind sending your data when you play multiplayer games. I would consider that justified if we were sending a detailed system spec. That is something we may want to do in the future. Data like that is helpfull in making good development decisions.

But this is just a driver string riding along with your game version. It just seems silly, like requiring you to acknowledge before leaving your house that someone might see you. I would rather have fixed a bug somewhere.

I can see that it is a slipperly slope to be on, and I can easily project it to a scenario that I would be offended by, but I just can't convince myself that knowing the reletive distribution of different OpenGL implementations is violating people's rights.

The system was set up to allow us to notify people with a one-line message when their versions are out of date. I imagine some people are offended even by that, but I consider that a positive service to the community.

Including the renderer string was an afterthought to get some good unbiased data to help make future decisions on. Every once in a while we tally up the numbers, then dump all the logs. That's it.

However, in the screen shot, the sniffer clearly stated that the 'source' of the packet was 'monster.kistie' (1.2.3.4). Did you look at the gif [strikenet.at] yourself?--"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

I'm sure it was a honest mistake in this case. And there's certainly no need to get lawyers involved.

But I still think that companies should get their act together soon and agree that this kind of activity is unacceptable. It is no different from unauthorized cracking. And it's an extremely sad statement about society if companies can get away with this when individuals cannot.

We basically need a code of practice whereby any data collection needs the prior consent of the customer. It's only good manners, it's not difficult to do, and it's the only fair solution. If no code of practice is forthcoming, we may need to resort to regulation. This would be less than satisfactory given the average government's competence with technology regulation.

Furthermore, if notices about this kind of thing are going to get put on a product they need to be a little more prominent than the small print in the EULA. A reasonable person would not expect to be signing away their privacy rights when they sign a license to use software.

In this case, why not just pop up a dialog box when the program first runs to ask if the user wants to let the publisher know about their hardware configuration for statistical purposes? Most people will probably say yes anyway, since they will have been asked permission politely and it basically ammounts to a "vote" for more support for their own machine type.